On Sat, 15 Sep 2012, [email protected] wrote:

>> Hi,
>>
>> I have a Kerberos-based SSO system. The Kerberos realm is
>> "CORP.EXAMPLE.COM". Every service has its own domain name, such as
>> "imap.corp.example.com", "wiki.corp.example.com" and so on.
>>
>> Now I can login these services on Debian sid. But it always fails on
>> Windows XP.
>>
>> I've configured Firefox by setting the following preferences:
>>
>> network.negotiate-auth.trusted-uris = corp.example.com
>> network.negotiate-auth.using-native-gsslib = true
>> network.auth.use-sspi = false
>
> Why did you disable SSPI? This works quite well with Unix-based servers.

Off the top of my head (and my memory may be incorrect), the windows SSPI
libraries only access credentials in the windows LSA credentials store,
which is not populated by stock KfW 3.2.

With respect to the OP's question, KfW 3.2 is based off MIT krb5 version
1.6, which is rather old. It might be worth just giving your services
credentials named for the service's domain name (e.g.,
wiki.corp.example.com) as a workaround so the server principal name
matches the server name.

-Ben Kaduk
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
